SaMD Risk Categories (IMDRF): What They Mean & How They Relate to FDA Review

IMDRF categorizes SaMD risk (I–IV) by crossing significance of information (inform, drive, treat/diagnose) with the condition’s seriousness (non-serious, serious, critical). IV = treat/diagnose critical; I = inform serious/non-serious. These categories guide evidence rigor—not U.S. device class. FDA review depends on FDA classification/product code (many Class I exempt; Class II 510(k); novel De Novo; high-risk PMA).

Why SaMD Risk Categories Matter

If you’re building medical software, understanding risk categorization isn’t optional—it’s the starting line.

Yet many teams confuse the IMDRF’s I–IV system with the FDA’s Class I–III device classification. They’re related—but not interchangeable. This confusion leads to:

• Wrong assumptions about whether 510(k) is needed

• Missed regulatory deadlines

• Unnecessary overregulation (or worse—underregulation)

  
  

Let’s clear it up.

IMDRF’s SaMD Risk Framework Explained

The International Medical Device Regulators Forum (IMDRF) created the SaMD risk framework (N41) to help regulators around the world evaluate medical software consistently.

It sorts software into four categories (I–IV) based on:

1. The significance of the information provided by the software (Inform → Drive → Diagnose/Treat)

2. The state of the healthcare condition it addresses (Non-serious → Serious → Critical)

   
   

This framework is widely adopted—not just by the FDA, but also in the EU, Japan, Australia, and Canada.

Understanding the Four SaMD Categories

Here’s what each category means:

Category I — “Inform”

• Software informs clinical management

• Low-risk context (e.g., mild acne, general wellness)

  
  

Category II — “Drive”

• Software influences decisions

• Used in non-critical or moderate conditions

  
  

Category III — “Diagnose”

• Supports diagnosis or staging of serious conditions

• Used to guide treatment decisions

  
  

Category IV — “Treat / Critical”

• Software treats or directly manages life-threatening conditions

• Highest consequence if it malfunctions

IMDRF SaMD Categories Table

Mapping IMDRF Categories to FDA Device Classes

This is where things get tricky.

The FDA doesn’t officially “translate” IMDRF categories into Class I/II/III. But in practice, this is how things tend to map:

Category I → FDA Class I

• Most exempt from premarket review

• May fall under enforcement discretion

• Example: a stress-level tracker using survey data

  
  

Category II–III → FDA Class II

• Often require 510(k) or De Novo submissions

• Example: software that flags early signs of diabetic retinopathy

  
  

Category IV → FDA Class III

• Require PMA (Premarket Approval)

• Often need clinical trials or real-world evidence

• Example: adaptive software that personalizes chemotherapy regimens

  
  

Which Categories Trigger FDA Review?

Here’s the general rule of thumb:

Category I

✅ Often exempt

⚠️ But don’t assume—check intended use carefully

📝 May still need listing or enforcement policy analysis

Category II & III

🚩 Typically require 510(k)

🧪 May need performance or clinical validation

Category IV

🔒 Requires PMA

📊 Extensive safety, efficacy, and risk documentation expected

Note: FDA exceptions exist. Always verify with a regulatory expert—or use Complizen to guide you.

The Fastest Path to Market

No more guesswork. Move from research to a defendable FDA strategy, faster. Backed by FDA sources. Teams report 12 hours saved weekly.

• FDA Product Code Finder, find your code in minutes.

• 510(k) Predicate Intelligence, see likely predicates with 510(k) links.

• Risk and Recalls, scan MAUDE and recall patterns.

• FDA Tests and Standards, map required tests from your code.

• Regulatory Strategy Workspace, pull it into a defendable plan.

👉 Start free at complizen.ai

FAQs

Q: What’s the difference between IMDRF and Rule 11 (EU MDR)?

Rule 11 is a software-specific risk rule under EU MDR. IMDRF is a global framework. Many Notified Bodies use both to cross-reference decisions.

Q: Do SaMD risk categories apply under EU MDR?

They’re not official in the EU—but they're widely referenced by regulators, notified bodies, and guidance bodies when evaluating software claims.

Q: Does the FDA ignore Category I?

Not always. FDA may exercise enforcement discretion, but if your app sounds remotely diagnostic or therapeutic, you’ll still need to clarify classification.